Techniques
Sample rules
Exports Registry Key To a File
- source: sigma
- techniques:
- T1012
Description
Detects regedit.exe being used to export a Registry key to a file via its -E (or /E) switch. Exports of the HKLM SAM, SYSTEM and SECURITY hives are deliberately excluded by the filters below, since those are a credential-access indicator in their own right and warrant separate, higher-severity handling rather than this low-severity hit.
Detection logic
  condition: all of selection_* and not all of filter_*
  filter_1:
    CommandLine|contains:
      - hklm
      - hkey_local_machine
  filter_2:
    CommandLine|endswith:
      - \system
      - \sam
      - \security
  selection_cli:
    CommandLine|contains|windash: ' -E '
  selection_img:
    - Image|endswith: \regedit.exe
    - OriginalFileName: REGEDIT.EXE
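To see how the condition resolves in practice, the following added example (not part of the rule or of the Sigma project) transcribes the detection section into a small evaluator that honours the Sigma semantics used here: case-insensitive string comparison, `contains`/`endswith` modifiers, `windash` expansion of `-` to `/` and the Unicode dashes, list values as OR, list-of-maps selections as OR, and `all of selection_* and not all of filter_*`. The process-creation events are constructed for the example; field names follow the Sysmon-style `Image`, `OriginalFileName` and `CommandLine` the rule reads.

```python
from typing import Any, Dict, List

Event = Dict[str, str]

# Sigma's windash modifier: a '-' in the value also matches the other
# option-prefix characters Windows command-line parsers accept.
WINDASH_CHARS = ["-", "/", "\u2013", "\u2014", "\u2015"]

# Transcription of the rule's detection section (constructed from the page).
DETECTION: Dict[str, Any] = {
    "selection_img": [
        {"Image|endswith": "\\regedit.exe"},
        {"OriginalFileName": "REGEDIT.EXE"},
    ],
    "selection_cli": {"CommandLine|contains|windash": " -E "},
    "filter_1": {"CommandLine|contains": ["hklm", "hkey_local_machine"]},
    "filter_2": {"CommandLine|endswith": ["\\system", "\\sam", "\\security"]},
}


def _match_value(field_value: str, pattern: str, mods: List[str]) -> bool:
    """Apply Sigma string modifiers; comparisons are case-insensitive as in Sigma."""
    haystack = field_value.lower()
    variants = [pattern]
    if "windash" in mods:
        variants = [pattern.replace("-", c) for c in WINDASH_CHARS]
    positional = any(m in mods for m in ("contains", "endswith", "startswith"))
    for v in variants:
        v = v.lower()
        if "contains" in mods and v in haystack:
            return True
        if "endswith" in mods and haystack.endswith(v):
            return True
        if "startswith" in mods and haystack.startswith(v):
            return True
        if not positional and haystack == v:  # plain value: exact match
            return True
    return False


def _match_map(event: Event, selection: Dict[str, Any]) -> bool:
    """A map matches when every key matches; a list value is an OR of alternatives."""
    for key, value in selection.items():
        field, *mods = key.split("|")
        alternatives = value if isinstance(value, list) else [value]
        if not any(_match_value(event.get(field, ""), alt, mods) for alt in alternatives):
            return False
    return True


def match_selection(event: Event, selection: Any) -> bool:
    """A list of maps is an OR of maps; a single map is evaluated directly."""
    if isinstance(selection, list):
        return any(_match_map(event, m) for m in selection)
    return _match_map(event, selection)


def rule_matches(event: Event) -> bool:
    """condition: all of selection_* and not all of filter_*"""
    selections = [v for k, v in DETECTION.items() if k.startswith("selection_")]
    filters = [v for k, v in DETECTION.items() if k.startswith("filter_")]
    return all(match_selection(event, s) for s in selections) and not all(
        match_selection(event, f) for f in filters
    )


# Constructed sample process-creation events (not real telemetry).
REGEDIT = {"Image": r"C:\Windows\regedit.exe", "OriginalFileName": "REGEDIT.EXE"}
SAMPLE_EVENTS: Dict[str, Event] = {
    "hkcu_export": {**REGEDIT, "CommandLine": r"regedit.exe -E C:\Users\Public\app.reg HKCU\Software\Contoso"},
    "hklm_software_export": {**REGEDIT, "CommandLine": r'"C:\Windows\regedit.exe" /E C:\Temp\sw.reg HKLM\SOFTWARE\Microsoft\Windows'},
    "sam_hive_export": {**REGEDIT, "CommandLine": r"regedit.exe /E C:\Temp\sam.reg HKLM\SAM"},
    "security_hive_long_form": {**REGEDIT, "CommandLine": r"regedit.exe /e C:\Temp\sec.reg HKEY_LOCAL_MACHINE\SECURITY"},
    # Renamed binary caught by OriginalFileName; en dash caught by windash.
    "renamed_binary_en_dash": {"Image": r"C:\Users\bob\AppData\Local\Temp\r.exe", "OriginalFileName": "REGEDIT.EXE",
                               "CommandLine": "r.exe \u2013E C:\\Temp\\x.reg HKCU\\Software"},
    "silent_import": {**REGEDIT, "CommandLine": r"regedit.exe /S C:\Temp\x.reg"},
    "reg_exe_save": {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
                     "CommandLine": r"reg.exe save HKLM\SAM C:\Temp\sam.hiv"},
}


def evaluate_samples() -> Dict[str, bool]:
    """Run the rule over every constructed event and report which ones fire."""
    return {name: rule_matches(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT ' if hit else 'quiet '} {name}")
```

Two things the run makes visible: the SAM and SECURITY hive exports are silenced only because both filters match at once (`not all of filter_*`), so an HKLM export of a non-sensitive subtree still alerts; and `reg.exe save` of the same hive never reaches this rule at all, because the selection is tied to regedit.exe by image name or original filename, so reg.exe-based hive dumps need their own detection.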